Risky Business - Risky Biz Soapbox: Enterprise Yubikeys can now be pre-registered
Episode Date: December 8, 2024
In this interview Patrick Gray talks to Yubico's COO and President Jerrod Chong about a new YubiKey feature: pre-registration. You can now ship pre-registered YubiKeys to your staff so you don't need to rely on your staff to enrol them. They've achieved this with really slick Okta and Entra ID integrations. Jerrod also talks about a recent trip to Singapore and concerns he has about the cybersecurity of critical infrastructure in the energy sector.
Transcript
Hey everyone and welcome to this Soapbox edition of the Risky Business Podcast.
My name's Patrick Gray.
These Soapbox Podcasts are wholly sponsored and that means everyone you hear in one of them paid to be here.
And today's Soapbox is with Jerrod Chong, who is the Chief Operating Officer and President of Yubico,
which of course make the Yubikey
hardware authentication devices.
I own one, I use one, I recommend you do the same.
I'm guessing most people listening to this
and watching this already know about Yubikeys.
But trying to deploy them at like enterprise wide scale
is not always the easiest thing.
And, you know, in these soap boxes,
we often talk about like big picture view,
how the sponsor sees the world.
And sometimes we talk product.
More often than not with Yubico though,
because their stuff I just find really interesting.
And today, the first thing we're going to talk about
with Jerrod is the Yubico enrollment suite.
Because really getting a user enrolled,
like previously you've had to rely on
people self-enrolling and there can be problems there. So now they've done a deal with Okta and
with Microsoft so that they can help you to like pre-register, pre-enroll your users so they can
just get their YubiKey mailed to their home address and it's already enrolled, it's already ready to
go. So that's a very cool new thing. So we'll be talking to him about that in just a moment. And then we're going to talk about Jerrod's reflections on cybersecurity in critical infrastructure. He recently was part of a delegation to Singapore where a lot of people were talking about critical infrastructure, and cybersecurity sort of was not really a main topic, right, in a way that was somewhat concerning to Jerrod.
But he also explains that, you know,
governments are in a bit of a bind here
because if they start putting onerous cybersecurity requirements
on large infrastructure and, you know, energy projects,
they won't get funded by the private sector,
by the VC firms and by the banks,
which is where the money comes from to deliver
all of that good new infrastructure.
So that is the second part of this conversation.
But I'll drop you in here where I ask Jerrod to explain Yubico's enrollment suite and what
it actually does.
So here's Jerrod Chong.
So what we wanted to do was let's rethink about how do we enable out-of-the-box experience,
which is when you get the authenticator, it just works, right?
It's really provisioned for you.
We call it pre-registered for you,
and specifically for the service you want.
And so we've been working specifically with the Okta folks for a while.
We GA'd the product two weeks ago.
And now we're working with Microsoft.
Because if you think about it, as an enterprise,
if you have an IDP
that you want to work with,
and you said you want highest assurance
and you want these authenticators
to exist for all your users
because you really treat this
as a high bar that you want to solve,
then the last thing you need
is to deal with two things.
Like logistically,
you've got to get it to all these users.
And secondly, you've got to tell these users what to do to start the journey.
And so we want to completely eliminate the first part of this journey,
which is you want a user to be onboarded with the best authenticator.
We get the authenticators to where it needs to go.
And we do the provisioning for you for the users.
So think of a new employee, for example. You start with a company. Your company has chosen
either Okta or Microsoft. And you said, I want the users to start working day one. I don't want
to have them wait around and don't have strong authentication and wait for IT to enable them.
The goal is when you get
your laptop or you bring your own device the day you start the authenticator shows up with you on
the same day, and you're in business. All you have to do is log in with the YubiKey.
And that bit, which is... I mean, previously you would have to, you know, the user would kind of have to do that themselves,
or an administrator would have to do that for them, right? Like it wouldn't just be, you know,
I would think it would be unusual for that to be just ready to go, right?
For places that are using YubiKeys right now.
Yeah, and then you ask HR to work with IT
to figure out when the person is going to come to the office
or do some remote handshake and tell the person
this is your username ID or send an SMS with a temporary code.
You can imagine all the not great onboarding processes.
So we really took a hard look at what is the pain point for adoption at scale.
And I don't think it's just for an hardware authenticator.
I think software apps too, right?
I mean, we've heard from customers like,
we've got three different software with three different types of authenticator.
We've got a Microsoft authenticator.
We've got this Google authenticator.
And then sometimes we have this
other social media account authenticator.
It's really bad, honestly.
So we need to take all these provisioning things
that people don't talk about in the industry as much.
Now I think a lot of people are talking about it.
To just say, when I want to start my journey,
it just works. I don't want it to prevent me from a productive workforce, or for their productive user.
So walk us through the process then, right? Because it's one thing to say, oh, okay, the Yubico,
you know, say the YubiKey is just magically there when someone starts and it's ready to go. It's pre-enrolled, everything.
They can just you know touch the little button and bang, off it goes.
But what's the process for that having gotten there?
Yes.
You know?
Yeah, so we've introduced, you know, a suite of products
called the Enrollment Suite.
And so when you become a customer of Yubico,
besides getting YubiKeys,
you actually sign up for the service.
It's called the YubiEnroll suite,
which is part of the YubiKey as a Service offering.
And also you have to be a customer of the IDP
that you are using, right?
Either it's Okta or Microsoft.
And so when you have these two components,
essentially you as the administrator
set up this workflow.
You tell Yubico,
this is, I want to use Okta as my IDP.
I have the, you know, what we call a service workflow.
When I onboard a user,
these are the API connections that I need to make.
And these are the users that I want to enable.
These are a process where the HR system
or the service system can provide the addresses.
There are various API calls.
And we take care of really, think of it, pre-enrolling a credential for Microsoft or Okta on behalf
of the user for the company.
And then we ship these keys that are pre-registered for, again, the customer with the IDP credentials
to the user.
And so we have a system in place, a service system in place
to connect to, could be, for example, a ServiceNow workflow
plus the Okta engine at the back.
And the IT individual just says,
every time you have a new employee, kick off this workflow,
send out a YubiKey to this individual, and you're in business.
Okay, so who's doing the sending of the key? That's you? So there's some sort of API call, and what, does that go to their home address?
Do they need to have done this provisioning in advance of the staff member starting so that
they have the key? Or is there, like, as part of this workflow, they can get in without it until it turns up? Or, like, how does that part of it work?
So we do. It's a part of the Yubico service. We also do the delivery. I mean, some companies want to do it themselves in person,
it's totally fine. But quite a number of customers would say, Yubico, here is, you know,
the HR onboarding, and here's a set of users,
or even could be existing users as well.
Go make the shipments, right?
So there are various APIs calls
that we communicate with the system of record
for the company.
And we take the addresses,
we slap a label on top of the package,
pre-registered YubiKey
and off it goes to, in most cases,
in a remote location or all matters.
Yeah, right. So what happens, though, if the key hasn't arrived by the time the user is, you know,
starting their job, right? You know, I'm guessing there's a process there.
Different companies have different processes for how they would recover or give temporary access, I would
say, for the users. Now, an interesting stat itself, right?
So Okta actually rolled this out for Okta employees themselves.
And they deployed 6,000 YubiKeys all over,
actually it was 42 countries in under four months.
And they have 100% coverage.
And you would say, well, they've got this Okta app,
which is true, they do have the Okta app.
So what they actually do is that it complements
when the Okta app and the YubiKeys work hand in hand.
So you can start off with the Okta app
and then have the YubiKey,
or you have the YubiKey and then you bootstrap the Okta app.
So it's really seamless from the perspective of like,
you should minimize any calls to the help desk.
And the user can self-serve
because they have the hardware authenticator
and the software app,
and they complement each other.
Then they shouldn't be calling each other
when something or calling help desk
and something goes wrong.
So I think the industry needs to think beyond
trying to say it's an authentic hardware authenticator
versus software authenticator.
And I think if you look at a passwordless wall,
then the only thing that really ties you is some hardware.
It could be the hardware of the phone itself,
or it could be the hardware of the YubiKey, right?
Because there's nobody to call to reset anything,
which means that any time you call,
it's like, I got a new phone, I got to do something about it,
or I need my YubiKey, I need to do something about it.
So in both scenarios, it's a physical event.
And the more industry think about a physical event rather than some software magic, then I think we can close some of the gaps that we've seen. Because the attackers,
honestly, if you said everybody got final authentication with a YubiKey,
and all the attackers have to do is, I've lost my phone or lost my YubiKey, please call help desk.
And the only way you,
or the way that you get back into your account, is send me an SMS code, then why even start the
journey? And maybe we talked about this before.
So yeah, we did. And it's interesting, you know, you already mentioned, you already kind of alluded to this when you talked about those API calls that
determine, you know, the address that a YubiKey is going to be sent to. I mean, that is a query of the HR system,
right? So unless an attacker has already managed to go into a HR system and change an address or
do some social engineering around that, plus having the existing credentials and onwards and
onwards and onwards, like it is a much more sort of robust procedure when you're using those HR
systems as like, I think you've described it as a source of truth for that address data.
But I guess, look, just going back to my question, which was like, well, you know, what do you do
when the key's not there yet? I guess what you're saying is just make sure the key gets there
in time. Absolutely. Yeah. Yeah, that makes sense. And I guess there would be other procedures,
right? If it's not there in time, you know, that would be the exception to the rule. And then a
admin could pull one out of a drawer and then you know do a separate provisioning or something like
that, right?
Yes. And so that's why when we introduced the enrollment suite, we've also added a client piece
as well, because we know some customers say, we can't wait for the keys, but can I provision it
locally, right? Think of it, if you are in one of these countries that we are not, we, you know, we
don't have the warehousing and it
takes some time to get there, especially in Asia, then some of the customers say, you
know, we have a local IT shop that we trust.
Can we just provision it at that location, like a call center, for example?
And we say, absolutely.
And so part of this enrollment suite, you have the capabilities for customers to take an application
and then do the enrollment on behalf of the user for, you know,
Okta or Microsoft in-house, so to speak.
Then it solves that, you know, I need a key right away
and I got a bunch of YubiKeys on the drawer here.
Well, let me just set it up for you right now and you can go.
Yeah.
I mean, I guess the
main point of all of this, the main benefit is that you're not relying on the users to self-enroll
anymore. Correct. Yeah. I mean, how much of a sticking point has that been to sort of universal
coverage at large organizations? I imagine there's always going to be a few hundred out of a few
thousand who just can't get there. Yes, and that's what we need to focus on,
which is where possible, you should make it,
let's solve for the 80% that you can actually get keys there,
provision them, and they have a very, very superior experience
to use the service when you start.
There's always going to be kind of places.
There's just no way physically,
whether it's places where
you can't get phones, because the phones just don't work because it's a weird OS and patch and all
these problems, or the YubiKey just can't clear customs, or whatever. There's always going to be these
counter cases, and you have to probably default to some amount of not-so-great authentication.
but the good news is that if you solve for the majority, then your risk engine can actually do the job
better, right? Think about it. If everyone has weak signals, then you have to pay attention to
all these weak signals all the time. If you said a category of problems is limited with 80%
of your users, then you can actually streamline your detection engine and all these other things
that people care about on the 20% or even less. And over time, it'll be a very tiny slice of it. So I don't think we should focus on
like, let's be perfect. I think we shouldn't be the enemy of good to try to solve what most
companies want, which is let's take care of the majority of my users, the most prized ones,
especially, then move to exception processing. Yeah, I mean,
Proofpoint talk about that as well, right? Which is in the case of, you know, you've got these two
sets, which are people who get attacked a lot and people who tend to exhibit risky behaviors,
like clicking on every single link that arrives by email, executing every single attachment.
And once you've got like an overlap
over those very attacked people and the people who exhibit risky behaviors, you know, you know
where to apply your extra controls and your extra monitoring. And I guess you're saying the same
thing, which is the people who don't have that coverage, you know, you might want to look at
maybe different permissions or different access models for those people just to cover off that
risk a little. Exactly.
And we also talk about different policies, right?
So because it's not technology solves part of it, but also policy, right?
If the people who doesn't have a YubiKey, lost YubiKey, YubiKey is not there or the
phone app that doesn't have that and you have to depend on an SMS, then maybe they are restricted
to only do certain actions, right?
And maybe it's a short-lived session as well.
And so you kind of ratchet that up.
And I think it's one of the things we've heard from a customer is like,
you can't change everything at the same time,
but you can make it a little bit painful.
And so over time, you make it even more painful.
And so then people like don't lose things, right?
So of course, people are always going to lose things.
But if you make it both a carrot and a stick, and over time you say, you know what, these are really risky
behaviors, and you seem to constantly lose the authenticator, like we're gonna let your manager's
manager know what's going on here. And it's like, something has got to change, a human behavior
has to change. So I do think there's a human element to all of this. And I think sometimes
we forget that people are going to gravitate to
what they're comfortable with for many, many years. And so when we introduce technology, we should reduce,
obviously, the friction to adopt the technology, but also understand that change management can
take a while. So, you know, let's try not to solve every single thing at the same time when you kind
of launch your journey to go with a new technology.
All right. Well, anyone who's interested in that can go Google Yubico Enrollment Suite and get all of the details on that. But Jerrod, now we're going to talk about your recent trip to Singapore. So
you went over as part of a delegation and met with a whole bunch of people who are talking about,
you know, big infrastructure projects. And you found that the lack of focus on cybersecurity was a little bit concerning.
And also that governments are in a bit of a bind, as I said at the intro,
because if they start putting onerous cybersecurity requirements on a lot of these projects,
they don't get funded. But look, let's just start with your reflections on this trip,
and then we'll get into it.
Yes, it's definitely an interesting visit for me.
It was the first state visit by His Majesty, the King of Sweden. And I was part of a Swedish business delegation to Singapore.
I'm Singaporean.
I work in the US and I work for a Swedish company.
So I represent a very interesting combination.
Yes, you're a Singaporean visiting from America with the king of Sweden.
Yes, exactly.
And I think, you know, we are all global citizens.
And, you know, in order for any company to say you want to make an impact globally,
you have to represent that view from all sides. What this business trip was about was to,
you know, build some good relationships for Swedish businesses and Singapore. I mean, Singapore actually,
interestingly enough, has a long-standing relationship with several very big Swedish
organizations or companies over the many years since Singapore has gone independent.
You know, for example, you know, they've been working with Axion for a while.
They've been working with Saab and various projects that involves transportation, infrastructure, and so on and so forth. So I was part of this delegation.
I was, you know, I was, my eyes were open to sort of how these two nations have been collaborating and cooperating over the many years.
But the agenda for the visit was quite specific.
It was about creating a world where there's sustainable energy, which is, I think, all important, and as well as the ability to think about how nations can scale with some
of the latest technology and innovation.
Obviously, the AI is always going to be there in any business topic, but in terms of specific
areas like healthcare, for example, or transportation. So trying to modernize, you know, different parts of infrastructure
to scale for what we need as a society for future things.
And it always came back to an interesting conversation
about critical infrastructure, right?
Because if you think about energy, if you want to support the billions
and trillions of all these machines that
actually have to process things for the AI engines, it's a lot of energy. And then you ask your question,
how are you going to get this energy to the right place in time if you don't want to depend
on the fossil fuels? So then you have a lot of talk about storage and energy grids and who can
manage it, it's a decentralized model, and all these interesting conversations,
which is really refreshing in some ways.
Sweden, as we know,
is very forward in terms of sustainability.
But it was interesting
because when they talk about
all these gigantic critical infrastructure projects,
the word cybersecurity
starts to float to the top,
which is like,
if we don't protect critical infrastructure,
then everything collapses really quickly.
And I was pleasantly surprised to hear that cybersecurity is part of the mix as well,
besides just building big infrastructure roads and all these energy grids.
But I don't think that there is enough cybersecurity representation in some of these national
infrastructure projects.
It's always a side conversation in my view.
And it's quite evident because I think I was one of,
there were like 50 businesses and there were only two cybersecurity companies.
So I feel like as an industry and you,
you talk to all the cybersecurity folks everywhere in the world,
we're underrepresented
in some of these large-scale infrastructure projects.
And if we're underrepresented
in these large-scale infrastructure projects,
then you will bet that cybersecurity is a patchwork
when they start to roll it out.
And that's what I've observed,
which is eye-opening,
a bit humbling as well,
because people want to talk about cybersecurity,
but no one is there to represent what to solve. It's just, the bad guys are going to attack
us, we've got to defend against them. Like, okay, what do you mean? Can you be more specific? Yeah, what percentage
of this infrastructure spend should go into cybersecurity, and what sort of controls are we most
worried about? Like, they don't do that, right? No. I think, though, that it is changing, right?
I think funnily enough,
some of China's more recent campaigns
like Volt Typhoon in the Asia Pacific
have really made politicians
start thinking about these risks.
Did you feel like there was a bit of a disconnect
between the people who want to build the infrastructure,
like the private interests who want to build the infrastructure,
and maybe some of the politicians who might oversee
some of these projects from the political dimension?
Was there any disconnect between the way those two cohorts
sort of thought about this stuff?
A little bit, right?
So give an example.
So they talk a little bit about, you know,
you need to invest in new green tech
to solve the sustainability problem.
And the first question was that, you know, who's going to fund this?
Who's going to fund this project?
And they brought three major areas, right?
You have the government.
Of course, they can do something.
They can invest.
Then they brought up private sector.
And in some ways, private sector are either banks, where the banks actually, you know,
lend money, and then the VC community. And it seems like there isn't consensus to go big.
It's like, we need to show evidence that this tech is going to work first. But that's
a conundrum, right? Like, how can you enable startups if the funding is low until it works? If
it works, it works, I don't need your money anymore, because I've been proven. So there's this subtle conversation, which
is like, governments are only going to fund so much, and the banks are making it really, really hard
to get loans, and the VCs are not really interested because they only care about major, you know,
startups that have been proven a while. And I think that with this culture of nobody wants to go all in, you've got to write policy
that forces people to think differently. But then it is a constant challenge, when you write policy,
that industry says, well then nobody's going to fund that if you make such a high bar. So there
is a bit of that going on, not just in Singapore, it's everywhere. I think also anyone listening
to this who's interested in some of the energy stuff happening in that region, have a Google of Sun Cable, which is a plan to build
a massive solar farm in the Australian desert and then cable the electricity to Singapore.
And one of the Atlassian founders is behind that. And depending on who you talk to,
it's either genius or completely insane, but at least it's interesting. So just on that topic of, you know, critical infrastructure, has that been a growth, a
particular growth area for Yubico or is it one of those sectors that's trailing in an
alarming way?
Like, which way is the ball bouncing on critical infrastructure and, you know, FIDO auth?
It's unfortunate that most of our big infrastructure projects happen because something happened, right? We love to get ahead of
it, and we, I mean, the reality is all these organizations, energy companies, folks that do
create the software, create the systems and all these things, they understand the risk,
and the risk is really high.
They are fighting in resources and a whole bunch of other things.
But they only really act when we have an incident.
Remember Colonial Pipeline?
So only when such a catastrophic thing happens,
then the government steps in and starts to create policy
and almost mandate
everybody moves on and solve that.
We see, again, back to the first point, we don't see that at the beginning of the journey,
which is like, if you're going to build a new infrastructure that is really critical
for the growth of the nation, you need to have representation of cybersecurity folks
at the beginning.
And identity is part of the conversation in terms of making sure that infrastructure
cannot be hijacked by anyone.
So it's coming.
Some of the pressure we're going to get is massive, but it's really unfortunate because it took
an incident before people decided that that's what they want to focus on.
So I guess what you're saying is the critical infrastructure is lagging here. You know, because when I think of people who I know who have
Yubikeys, there's a lot of people who work in technology, maybe some people who work for higher
security environments like banks and whatever, where they're really motivated to keep attackers
out of their environment. Infrastructure operation seems all about margins, right? Like all about
doing it as cheaply as possible, right?
Because you're talking about, you know,
often basic services like energy, water, whatever,
but it's at massive scale.
And so they're just not going there.
Yeah, it's just like the OT environment.
It's the same, right?
They do what's necessary to get by tomorrow.
And if you need to think more than a few years out,
it's like, I'm going to try to improve my
infrastructure to deliver the energy faster first, rather than I need to improve my infrastructure to
defend against cyber attacks. Which is, to your point, I mean, they are lagging for
quite obvious reasons, because of the way that they operate as a business. Well, I guess the point
you're making too is that governments can only do so much, because if you start putting cybersecurity requirements onto a lot of these
projects, they won't get funded. Correct. And that's the head-on collision with the two entities
trying to do better. And then regulators saying that you've got to do all these things to be
compliant and grow the business.
But then you say, well, who's going to actually fund all these projects?
Now, look, Jerrod, a common theme that we often talk about
is the transformation to passwordless auth.
Part of me worries that this is a little bit like talking about
the year of Linux on the desktop, which is it's something that's always
just that little bit out of reach in the future. But how's all of that tracking? We've seen in some sectors like
hospitals, for example, are big on passwordless because it's just a lot easier for the staff who
are constantly having to move around between different terminals, imaging devices, whatever.
They can just passwordless auth. Retail as well, people going onto registers and things like that.
Enterprise, I haven't heard all that much.
Like, where's it lagging?
Where is it booming?
Walk us through the state of passwordless in December 2024.
From an overall perspective, we're making progress as an industry.
Some would say we're making pretty reasonable progress in general. And some of us
would say, well, it's going as usual, takes time approach. From an enterprise perspective,
I think there's an awareness, I would say, for most organizations that have heard about strong authentication,
that there's a desire to go past all this.
And so if you are on the Microsoft track,
for example,
if that's what you're using as your IDP,
I think you've heard enough reasons why you want to go there.
And enterprises, however,
are not just Microsoft.
And I'll give you a little color on this one,
which is there are a lot of organizations
that depend on Microsoft IDP,
but there's a lot of organizations
that still create their own homegrown things.
And those organizations mostly
are in the high assurance scenarios, right?
Like financial sectors.
While they may have pockets of population using
Microsoft IDP, a lot
of it is what they want to
control. They want to depend on any cloud provider to
protect or
execute on their
vision of what is necessary for the end users,
for example. And so if you look at financial
institutions, there's still
a general reluctance
to just go passwordless. And I say this because
if you want to log in the bank for the last two or three decades, that's what you've been doing
for a long time, right? And so instead of the addition on there, it's like you log in with an
OTP code, right? You like username, password, and some OTP thing, SMS or app or whatever it is,
and all some push app thing.
To move that whole experience. Now, it's one thing to say I've moved everyone in Gmail to a passwordless flow because it works out of the box with Android, which is great.
But it's another thing that says that now every banking customer says that I want that too.
And there's a complete human reaction and you get this is you don't do that anymore
and they say what why not
like why can't I log in my password
I've been doing this for like so many years now
and it's almost built in grain
when you first remember
logging into your bank account
like when you were younger
and so I think the change can only happen
with a generational change
of how we log
into services.
Yeah. Rightio.
Well, Jerrod Chong, we're going to wrap it up there.
It was great to see you, as always, for our annual
catch-up with Yubico to find out
what the state of things is.
A pleasure to chat to you, and we'll do it again
next year. Thank you very much, Patrick.